CVE-2008-0128
Severity CVSS v4.0:
Pending analysis
Type:
CWE-16
Configuration Errors
Publication date:
23/01/2008
Last modified:
09/04/2025
Description
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Impact
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 5.5.20 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
- http://rhn.redhat.com/errata/RHSA-2008-0630.html
- http://secunia.com/advisories/28549
- http://secunia.com/advisories/28552
- http://secunia.com/advisories/29242
- http://secunia.com/advisories/31493
- http://secunia.com/advisories/33668
- http://security-tracker.debian.net/tracker/CVE-2008-0128
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- http://www.debian.org/security/2008/dsa-1468
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://www.securityfocus.com/bid/27365
- http://www.vupen.com/english/advisories/2008/0192
- http://www.vupen.com/english/advisories/2009/0233
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39804
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
- http://rhn.redhat.com/errata/RHSA-2008-0630.html
- http://secunia.com/advisories/28549
- http://secunia.com/advisories/28552
- http://secunia.com/advisories/29242
- http://secunia.com/advisories/31493
- http://secunia.com/advisories/33668
- http://security-tracker.debian.net/tracker/CVE-2008-0128
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- http://www.debian.org/security/2008/dsa-1468
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://www.securityfocus.com/bid/27365
- http://www.vupen.com/english/advisories/2008/0192
- http://www.vupen.com/english/advisories/2009/0233
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39804
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E